Did the Leaker Exaggerate the NSA Internet Spying Program?

Josh Constine at TechCrunch says that the Guardian, or their source, Edward Snowden, is exaggerating the access that the NSA has to the systems of Microsoft, Yahoo, Google, Skype and other internet companies. Constine says that there is a separate, segregated system and requests still have to be made one by one.

The NSA may have wanted full firehoses of data from Google, Facebook and other tech giants, but the companies attempted to protect innocent users from monitoring via compliance systems that created segregated data before securely handing it over as required by law, according to individuals familiar with the systems used by the tech companies targeted by PRISM.

The widely criticized corroboration with the NSA therefore may have benefited citizens rather than being to their detriment.

My sources confirm that the NSA did not have direct access or any special instant access to data or servers at the PRISM targets, but instead had to send requests to the companies for the data. These requests must be complied with by law, but only if the government narrowly defines what it’s looking for. The government may have initially requested a firehose of data, and was happy to take this full data dump from the tech companies and sort it itself. Had the tech giants simply accepted these requests at the minimum level required by law, many innocent citizens’ data could have been monitored.

By working to create “a locked mailbox and give the government the key” which the New York Times reported, rather than allowing widespread monitoring, the firehose is restricted to a trickle of specific requests. When the NSA has specific people they want to data about, they make a specific, legal request for that data that the tech companies are required to comply with. Google or Facebook then puts the specific requested data into the locked mailbox where the government can access it. This keeps requested data about suspected terrorists or other people who are threats to national security segregated from that of innocent users.

By cooperating, companies can better ensure that each request is valid, and narrow enough in its scope. If the request is too broad, the tech companies can send it back and ask for a narrower pull. The method also ensure the data is securely transferred from the companies to the government, opposed to being more forcibly pulled by the NSA in ways that could have left it open for exploit by third-parties.

If this is true, that make it considerably more palatable — but it’s hardly a panacea. Bear in mind that the government can use National Security Letters without a warrant to request such information. also bear in mind that we know that NSLs have been used more often for non-terrorism investigations than for terrorism ones. The same is true of “sneak and peek” warrants. So I’d still like to know a lot more about the criteria used by both the government and the companies and the safeguards in place. Are warrants required? If not, the 4th Amendment is violated.

So if this is true, it reduces the danger posed by the NSA program but doesn’t eliminate it. And it does nothing about the privacy concerns for the Verizon metadata program (also followed by AT&T and Sprint).

After spending several years touring the country as a stand up comedian, Ed Brayton tired of explaining his jokes to small groups of dazed illiterates and turned to writing as the most common outlet for the voices in his head. He has appeared on the Rachel Maddow Show and the Thom Hartmann Show, and is almost certain that he is the only person ever to make fun of Chuck Norris on C-SPAN.

jamessweet

This was the impression I was already starting to get about PRISM, is that it was somewhat less than it was initially made out to be.

Nevertheless! It’s the whole “If this is true” part that you repeated at the beginning of each paragraph. Who freakin’ knows? The lack of transparency makes it impossible to police.

eric

He’s glossing over the constitutional issue, which is this (bold part added by me):

When the NSA has specific people they want to data about, they make a specific, legal request for that data without first getting a warrant that the tech companies are required to comply with.

timberwoof

“The widely criticized corroboration with the NSA therefore may have benefited citizens rather than being to their detriment.”

In other words, if the big corporations made the government trade in their automatic assault rifles for sniper rifles when they want to go citizen-hunting, that would benefit the citizens, who should feel grateful that an executive order would only target one or two of them instead of random crowds.

“When the NSA has specific people they want to data about, they make a specific, legal request for that data that the tech companies are required to comply with.”

This is almost just exactly like the Freedom of Information Act. When citizens have specific unclassified government activities they want to have data about, they can make a legal FOIA request for that data that the government can stonewall, redact, or conveniently lose.

Artor

So Constine & TechCrunch know this…how?

embraceyourinnercrone

Yeah, gotta love this little phrase in that TechCrunch article

“This keeps requested data about suspected terrorists or other people who are threats to national security segregated from that of innocent users.”

Of course you can probably be a considered a “suspected terrorist” for being part of Occupy Wall Street, the anti-war movement, GreenPeace, or other environmental group or donating to same.

Personally if I never have to hear the ” terra, terra, terra!” refrain again it will be too soon. And yet with all this information did it allow them to stop what happened in Boston. Nope. Does it stop any yahoo with the money from buying almost anything at a gun show? Nope.

Yes terrorism is terrible. I don’t live very far from Manhattan. The first few days after 9/11 were pretty scary. People I went to school with, worked and died in one of the towers, clients we talked to every day worked blocks away and we didn’t know at first if they were OK , it was frightening, but the absolute idiocy that has happened since is far scarier. In actuality the people who dropped the towers and hit the Pentagon achieved what they wanted.

They got us to turn ourselves into fear obsessed fools, willing to give up our rights and privacy for an illusion of safety.

And apropos of nothing, can I just say that the term “Department of Homeland Security” bugs me no end. I won’t Godwin the comments but you can guess what it brings to mind

trucreep

Also remember that the term “direct access” has a very different meaning in the tech world than it does for most other people; it’s considered having a person physically at the actual server. I don’t think that’s what most of us think of when we hear “direct access.”

I also assumed that these assurances of oversight and checks and balances were long ago dismissed by most for the obvious bullshit that it is….

Seriously, the damage control mode that the government is in would almost be funny if it wasn’t so serious.

baal

Pardon my tinfoil…It’s hardly surprising that a ‘big scoop” gets played up. It’s similarly unsurprising that the government and folks with contacts to the gov are doing a full court press damage control right now. So this story and the flood of others like it cannot be seen as fully honest reporting.

That said, given what I know about data bases and the government and the various dissemblings, it’s likely that the gov is hovering all info every where (Total Information Awareness’s larger progeny). This DB (these data sets) are then housed somewhere. The FEDGOV then goes and gets rubber stamps from FISA or equivalent to create specific uses of the database or to allow for specific farming sprees based on investigation x or y. See that way you get to have your cake and eat it too (all data full tracking of us citizens all the time & some fiction of process).

The leaker, with trivial tech-dev knowledge level, can probably code queries or kick off back room query tools to independently rifle through the db. Stopping that or keeping a close watch with the scope of employee numbers would be nearly impossible.

I don’t think I feel any better under my model than I do under a RT persistent sniffer model.

baal

Hrm, I need an edit button. I wasn’t dinging Ed’s honesty, rather that comment is to imply Constine should be taken with a grain of salt.

Michael Heath

embraceyourinnercrone writes:

Of course you can probably be a considered a “suspected terrorist” for being part of Occupy Wall Street, the anti-war movement, GreenPeace, or other environmental group or donating to same.

“Of course”? Really? Than you should easily be able to provide a cite validating that.

embraceyourinnercrone writes:

They got us to turn ourselves into fear obsessed fools, willing to give up our rights and privacy for an illusion of safety.

Perhaps the fear still exists and is now directed elsewhere. And I’m not sure why you think our security is an illusion. The facts seem to argue it’s very robust, to the point I’d happily ask that we risk a supposed reduction in security in order to better secure all people’s protections of our 4th, 5th, and 8th Amendment rights.

“Supposed” given that I don’t think we have to sacrifice our rights to better secure our safety, there are better ways to protect our security than contain the blowback from the west’s policies that create a demand for terrorism.

2. Representative Peter King, one of Brayton’s favorite congresscritters, has called for the arrest and prosecution of Glenn Greenwald. Since Greenwald currently resides in Brazil, which I seem to recall has no extradition treaty with the US, this doesn’t look like something that is going to happen.

http://www.facebook.com/profile.php?id=153100784 michaelbrew

You know, Heath, while I appreciate the importance of citations as a skeptic and a writer of many a paper, when someone uses the qualifier of “probably” that tends to imply speculation, in this case most likely based on familiarity with verified abuse of semantics by law enforcement personnel. Regardless, asking for a citation for what amounts to a guess is a bit facetious. As an aside, I’m pretty sure the “illusion of security” to which embraceyourinnercrone referred is more specifically the “illusion of security that is garnered specifically from these measures.” My impression is that you both agree on this issue, so I’m not sure why you feel the need to argue about it.

Apparenty the ACLU has filed a lawsuit today because it is a customer of Verizon Business Network Services which last week was ordered to turn over on an ongoing basis details such as who the ACLU calls,who calls them and when the calls are made. To me it sounds like a fishing expedition.

I will try to find the other info I would like to cite when I am can post from something other than my phone. Sorry for the lack of citation in the original comment

eoleen

Of course the leaker exaggerated. Besides, the NSA does not need to go to Google, etc. to gain traffic information: they already have their hooks into the Web, and have had since the beginning, when it was known as ARPANET.

The information they are getting from the phone company is simply the billing records, which, BY LAW, the phone companies are required to keep for 600 days. The reason is that, in the past, there were some egregious “billing errors” made by the phone companies which went uncorrected “because we don’t have the data any more” or “because we lost the data by accident”. Thus the requirement that the data be kept – in three copies, no less.

As a practical matter, the tapes, once written on, are never recycled: the data sits in save storage (in three places…) for forever and a day, or until we run out of storage space some time around the year 3000. Phone companies by tape, in one form or another, by the semi load.

THe data is kept “online” for some 60 to 90 days, so that a customer who wants to dispute a bill won’t cost the phone company an arm and a let trying to restore the data so that it is available “on line”: by having it on disk a service person can (attempt to) resolve the issue when the customer calls with his/her/their complaint. After that they have to dig out the data from tape: a forth set of data is kept in the data center for that purpose. After a year it is shuffled off to some off-site location for storage.

What NSA is doing is simply getting a copy of the data the phone company already has and is RE

http://www.ranum.com Marcus Ranum

It’s tricky and it’s been deliberately set up to be tricky. So you may have a national security letter, you may have an FBI warrant, you may have a FISA warrant and who knows what else.

I’d caution against being dismissive of what the whistelblowers (because there are now several of them) are saying. For one thing, their stories are fairly consistent and for another the usefulness of the system would be more of less zero, if it didn’t behave the way the whistleblowers are saying. I’ll get to that. And lastly, there are corroborating facts that speak to some fairly interesting capabilities as well as to (probably) illegal wiretapping.

First off, the government (and industry spokespeople) are choosing their words very carefully. That’s not an accident – these are experienced bureaucrats who are – in the words of Clapper, “respond[ing] in what I thought was the most truthful, or least untruthful, manner” – There is a lot of lying going on, most of it by omission. I describe some of it in a recent posting on the FM site, here:

The sniffer technologies they are using are fairly well-known; it’s a commercial upgrade of the old CARNIVORE system that got so much attention in the early 00s.

The spook closets like Room 641A have also been fairly extensively described – we’re talking a black room at the internet’s main peering points, full of racks of classified computer gear. There has been relatively little attempt to demonize the people who outed those rooms because they’re generally pretty credible networking specialists who know what they’re talking about: they’re telling the truth.

According to a NSA inspector general’s report obtained by The Post, PRISM allowed “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations” rather than directly to company servers.

That fits exactly with my point that the way they do this is they don’t come with a warrant and get a thumb drive: they come with an NSL and install a device and the device’s principles of operation are classified. That way the providers have the fig-leaf of being able to say ‘we did not pro-actively provide them anything” (Facebook) – no, you did nothing at all; they just took what they wanted. An NSL ordering a provider to allow a bunch of spooks to install gear – classified gear – allows the provider to “honestly” say they don’t know anything. And, of course, there are always a few ordinary warrants coming in that the provider can serve in the usual manner.

But here are three other ways you can tell the whistleblowers are telling the truth:

1) the NSA wouldn’t be building a humongous data center in Utah and another in Maryland, capable of storing and analyzing yottabytes of data, unless they were expecting to be collecting a wee tad more than just what a google engineer hands over to them on a thumb drive!

2) systems for traffic analysis on telephone, sms, and other message traffic have no value unless you have all the call records so you can retrieve against them. when you decide you’re going to investigate all the phone calls made from my phone, to see if I called someone on a terrorism watch list (more likely: if I called Glenn Greenwald) the value of the system is knowing who’s on the other end of the call. more importantly, the value is being able to chain call records together – so you want to see who called so-and-so who called Glenn Greenwald. you do not do that kind of query by issuing 3 different warrants to the phone company and waiting for someone to hand over a thumb drive.

3) demonstrated capabilities show that the FBI was able to mysteriously access David Petraeus’ emails and phone calls going back for at least a year. how did they do that? contents not call records and traces – because they wouldn’t have known it was an affair if it was just a bunch of call records between someone and his biographer. that’s one set of facts; here’s another: when the FBI revealed Eliot Spitzer was enjoying prostitutes, that information came from a wiretap on the governor – why was the FBI tapping the governor is one question, but where did that wiretap come from? Stellar Wind: http://en.wikipedia.org/wiki/Stellar_Wind_%28code_name%29

This is not tinfoil hat brigade stuff: the existence of the capability has been demonstrated repeatedly, the individuals who are dumping details about it are credible and are technically accurate, and the government and FBI’s actions are consonant with having that kind of information.

It gets worse: it’s pretty clear that the FBI/NSA have been using surveillance capabilities to go after hackers (like anonymous and lulzsec) as well. They were scared shitless of those guys and were banging the cyberwar drums to get hackers included on the target-list as dangerous actors like terrorists and proliferators.

Short form: those of you who think the whistle-blowers are exaggerating need to do more research. The desirable capabilities of the system simply aren’t there if you’re not able to do fishing expeditions, and the whistleblowers like Klein describe systems that match systems known to exist. :/

eric

Michael Heath,

Just to add a bit to what @11 said, a citation isn’t really necessary in this case because of the larger point: since warrants are not required, the NSA gets to decide who counts as a ‘suspected terrorist.’

Personally, whether they are currently collecting information on people in (just an example) Greenpeace is nowhere near as important to me as whether they can without a warrant. The argument that “they aren’t doing that” basically amounts to a good behavior defense. That’s not good enough for me, because they could. I want to know that they can’t legally do it without the approval of the courts.

The recent slides from the powerpoint Snowdon released show that “boundless informant” is collecting 97 billion pieces of data per day. That’s from the NSA’s own briefing materials – is that an exaggeration?

http://adventuresinzymology.blogspot.com JJ831

@eoleen

” they already have their hooks into the Web, and have had since the beginning, when it was known as ARPANET.”

Um, I doubt that’s going to workout. The vast majority of the internet backbone is privately operated. Just because you have a “hook” into the internet, doesn’t mean that packets are traversing their legs. And since we are are talking about routed networks (layer 3+), only packets directed to their legs would go there.

Not that I care myself anyway. I never considered my internet communications to be private to begin with (advertisers and all that jazz, not to mention facebook and twitter are pretty damn public as it is. Email’s a little different, though)

GET PATHEOS NEWSLETTERS

Sign up for free newsletters and special offers

Get the Best of Patheos Newsletter Get the Atheist Newsletter Get the Dispatches From the Culture Wars Newsletter

Follow Dispatches From the Culture Wars

About the Author

After spending several years touring the country as a stand up comedian, Ed Brayton tired of explaining his jokes to small groups of dazed illiterates and turned to writing as the most common outlet for the voices in his head. Read More...